AutoProtect is disabled on a system running Endpoint Protection for Linux

You find that, contrary to expectation, AutoProtect (AP) is not enabled on a system running Symantec Endpoint Protection (SEP) for Linux. When you run systemctl status autoprotect.service -l, it is indicated that one or more of our kernel modules could not be loaded.

SEP for Linux (any version)

[root@yoursystem /]# /opt/Symantec/symantec_antivirus/sav info -a

Disabled

AP involves multiple parts:

symev, the kernel module responsible for intercepting system calls (opening, reading, writing or executing a file) and passing on file access information to symap;

symap, the kernel module responsible for forwarding file information to rtvscand for any file that needs scanning –if it concerns a write operation, or if the file being opened, read or executed is not found in the clean file cache (a fairly small list of clean files, meant to prevent continuous rescanning, which is cleared after a reboot);

rtvscand, the user space process that loads the definitions and performs the actual scanning, using 10 scanning threads that can be triggered by symap.

If any of these parts is not functional, AP will not work. Possible root causes include:

symev is unable to load, perhaps due to an incompatible glibc version;

symap is unable to load, perhaps as a result of an auto-compilation failure in combination with an unsupported OS or kernel;

rtvscand is unable to load the definitions.

Perform the following steps:

Uninstall SEP and perform a "CleanWipe", by issuing the following command from the directory containing the SEP installation files:

Ensure all dependencies are in place. These are listed in the System Requirements article for your version of SEP for Linux, referred to in related article TECH163829. For RedHat-based Linux distributions, run the following command:

Attempt to install SEP for Linux again. If both the installation and auto-compile (if applicable) succeed, but the AutoProtect status continues to be Disabled, then ensure symev and symap are loaded, by running systemctl status autoprotect.service -l. If they are, verify that rtvscand is running, using /etc/init.d/rtvscand status.

If rtvscand is running, run /opt/Symantec/symantec_antivirus/sav liveupdate -u. If it completes succesfully, check the AutoProtect status again. If its status remains Disabled, navigate to the virus definitions directory (cd /opt/Symantec/virusdefs) and verify whether or not at least one YYYYMMDD.xxx definitions folder is present and cat definfo.dat usage.dat indicates it is in use. If that should not be the case (or if the LiveUpdate failed, for that matter), then see the Related Articles section below this article and follow the instructions to update the system using Intelligent Updater definitions. The goal here is to exclude a possible definitions processing issue.

If the update succeeds, and AutoProtect is shown to be running, you may have a networking issue that prevents the download of definitions. If using SEPM, you will want to verify client-server communication is possible (using wget http://management_server_address:8014/secars/secars.dll?hello,secars). If this should fail, then refer to related article TECH160964. If you have an internal proxy, you will need to configure your system to use it (using export http_proxy=internal_proxy_ip_address:3128 –note that your proxy port may be different).

If the issue continues to persist, in spite of having tried all the aforementioned steps, then run /opt/Symantec/symantec_antivirus/sadiag.sh, generate a SymDiag (see related article TECH170752) and provide the resulting files to Symantec Support.

Subscribing will provide email updates when this Article is updated. Login is required.